-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:15.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSH PAM challenge/authentication error

Category:       core
Module:         openssh
Announced:      2003-10-05
Credits:        The OpenSSH Project <openssh@openssh.org>
Affects:        FreeBSD releases 4.6.2-RELEASE and later
                FreeBSD 4-STABLE prior to the correction date
                openssh port prior to openssh-3.6.1_4
                openssh-portable port prior to openssh-portable-3.6.1p2_5
Corrected:      2003-09-24 21:06:28 UTC (RELENG_5_1, 5.1-RELEASE-p7)
                2003-09-24 18:25:31 UTC (RELENG_4, 4.9-PRERELEASE)
                2003-09-24 21:06:22 UTC (RELENG_4_8, 4.8-RELEASE-p9)
                2003-09-24 21:06:15 UTC (RELENG_4_7, 4.7-RELEASE-p19)
                2003-09-24 21:05:59 UTC (RELENG_4_6, 4.6.2-RELEASE-p22)
                2003-10-03 20:55:14 UTC (openssh-3.6.1_5)
                2003-09-26 02:42:39 UTC (openssh-portable-3.6.1p2_5)
FreeBSD only:   NO

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

OpenSSH is a free version of the SSH protocol suite of network
connectivity tools.  OpenSSH encrypts all traffic (including
passwords) to effectively eliminate eavesdropping, connection
hijacking, and other network-level attacks.  Additionally, OpenSSH
provides a myriad of secure tunneling capabilities, as well as a
variety of authentication methods.

The SSH protocol exists in two versions, hereafter named simply `ssh1'
and `ssh2'.  The ssh1 protocol is a legacy protocol for which there
exists no formal specification, while the ssh2 protocol is the product
of the IETF SECSH working group and is defined by a series of IETF
draft standards.

The ssh2 protocol supports a wide range of authentication
mechanisms, including a generic challenge / response mechanism, called
`keyboard-interactive' or `kbdint', which can be adapted to serve any
authentication scheme in which the server and client exchange a
arbitrarily long series of challenges and responses.  In particular,
this mechanism is used in OpenSSH to support PAM authentication.

The ssh1 protocol, on the other hand, supports a much narrower range
of authentication mechanisms.  Its challenge / response mechanisms,
called `TIS', allows for only one challenge from the server and one
response from the client.  OpenSSH contains interface code which
allows kbdint authentication back-ends to be used for ssh1 TIS
authentication, provided they only emit one challenge and expect only
one response.

Finally, recent versions of OpenSSH implement a mechanism called
`privilege separation' in which the task of communicating with the
client is delegated to an unprivileged child process, while the
privileged parent process performs the actual authentication and
double-checks every important decision taken by its unprivileged
child.

II.  Problem Description

1) Insufficient checking in the ssh1 challenge / response interface
   code, combined with a peculiarity of the PAM kbdint back-end,
   causes OpenSSH to ignore a negative result from PAM (but not from
   any other kbdint back-end).

2) A variable used by the PAM conversation function to store
   challenges and the associated client responses is incorrectly
   interpreted as an array of pointers to structures instead of a
   pointer to an array of structures.

3) When challenge / response authentication is used with protocol
   version 1, and a legitimate user interrupts challenge / response
   authentication but successfully authenticates through some other
   mechanism (such as password authentication), the server fails to
   reclaim resources allocated by the challenge / response mechanism,
   including the child process used for PAM authentication.  When a
   certain number of leaked processes is reached, the master server
   process will refuse subsequent client connections.

III. Impact

1) If privilege separation is disabled, no additional checks are
   performed and an ssh1 client will be successfully authenticated
   even if its response to PAM's challenge is patently wrong.  On the
   other hand, if privilege separation is enabled (which it is by
   default), the monitor process will notice the discrepancy, refuse
   to proceed, and kill the faulty child process.

2) If more than one challenge is issued in a single call to the PAM
   conversation function, stack corruption will result.  The most
   likely outcome will be a segmentation fault leading to termination
   of the process, but there is a possibility that an attacker may
   succeed in executing arbitrary code in a privileged process.

   Note that none of the PAM modules provided in the FreeBSD base
   system ever issue more than one challenge in a single call to the
   conversation function; nor, to our knowledge, do any third-party
   modules provided in the FreeBSD ports collection.

3) Legitimate users may cause a denial-of-service condition in which
   the SSH server refuses client connections until it is restarted.
   Note that this vulnerability is not exploitable by attackers who do
   not have a valid account on the target system.

IV.  Workaround

Do both of the following:

1) Make sure that privilege separation is enabled.  This is the
   default; look for `UsePrivilegeSeparation' in /etc/ssh/sshd_config
   or /usr/local/etc/ssh/sshd_config as appropriate and make sure that
   any occurrence of that keyword is commented out and/or followed by
   the keyword `yes'.  The stock version of this file is safe to use.

2) Make sure that the PAM configuration for OpenSSH does not reference
   any modules which pass more than one challenge in a single call to
   the conversation function.  In FreeBSD 4.x, the PAM configuration
   for OpenSSH consists of the lines in /etc/pam.conf which begin with
   `sshd'; in FreeBSD 5.x, it is located in /etc/pam.d/sshd.  The
   stock versions of these files are safe to use.

   The following PAM modules from the FreeBSD ports collection are
   known to be safe with regard to problem 2) above:

    - pam_mysql.so (security/pam-mysql)
    - pam_pgsql.so (security/pam-pgsql)
    - pam_alreadyloggedin.so (security/pam_alreadyloggedin)
    - pam_ldap.so (security/pam_ldap)
    - pam_pop3.so (security/pam_pop3)
    - pam_pwdfile.so (security/pam_pwdfile)
    - pam_smb.so (security/pam_smb)

   pam_krb5.so from ports (security/pam_krb5) is known to use multiple
   prompts with the conversation function if the user's password is
   expired in order to change the user password.

3) Disable challenge / response authentication, or disable protocol
   version 1.

   To disable challenge / response authentication, add the line:
     ChallengeResponseAuthentication no
   to sshd_config(5) and restart sshd.

   To disable protocol version 1, add the line
     Protocol 2
   to sshd_config(5) and restart sshd.

V.   Solution

Do one of the following:

[For OpenSSH included in the base system]

The following patches have been verified to apply to FreeBSD 4.6, 4.7,
4.8, and 5.1 systems prior to the correction date.

Download the appropriate patch and detached PGP signature from the following
locations, and verify the signature using your PGP utility.

[FreeBSD 4.6]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh46.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh46.patch.asc

[FreeBSD 4.7]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh47.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh47.patch.asc

[FreeBSD 4.8]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh48.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh48.patch.asc

[FreeBSD 5.1]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh48.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh48.patch.asc

[FreeBSD 4.8-STABLE / 4.9-PRERELEASE / 4.9-RC]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh4s.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh4s.patch.asc

Execute the following commands as root:

# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/usr.sbin/sshd
# make obj && make depend && make all install

Be sure to restart `sshd' after updating.

# kill `cat /var/run/sshd.pid`
# /usr/sbin/sshd

or, in FreeBSD 5.x:

# /etc/rc.d/sshd restart

[For the OpenSSH ports]

Do one of the following:

1) Upgrade your entire ports collection and rebuild the OpenSSH port.

2) Deinstall the old package and install a new package obtained from
the following directory:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/

[other platforms]
Packages are not automatically generated for other platforms at this
time due to lack of build resources.

3) Download a new port skeleton for the openssh or openssh-portable
port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz

Be sure to restart `sshd' after updating.

# kill `cat /var/run/sshd.pid`
# test -x /usr/local/etc/rc.d/sshd.sh && sh /usr/local/etc/rc.d/sshd.sh start

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                                             Revision
  Branch
- -------------------------------------------------------------------------
RELENG_4
  src/crypto/openssh/auth-chall.c                                 1.2.2.6
  src/crypto/openssh/auth.h                                   1.1.1.1.2.7
  src/crypto/openssh/auth1.c                                     1.3.2.10
  src/crypto/openssh/auth2-pam-freebsd.c                          1.1.2.8
  src/crypto/openssh/ssh_config                                   1.2.2.9
  src/crypto/openssh/ssh_config.5                                 1.4.2.5
  src/crypto/openssh/sshd_config                                 1.4.2.13
  src/crypto/openssh/sshd_config.5                                1.5.2.6
  src/crypto/openssh/version.h                               1.1.1.1.2.13
RELENG_5_1
  src/crypto/openssh/auth-chall.c                                 1.6.2.1
  src/crypto/openssh/auth2-pam-freebsd.c                         1.11.2.1
  src/crypto/openssh/ssh_config                                  1.21.2.1
  src/crypto/openssh/ssh_config.5                                 1.9.2.1
  src/crypto/openssh/sshd_config                                 1.32.2.1
  src/crypto/openssh/sshd_config.5                               1.11.2.1
  src/crypto/openssh/version.h                                   1.20.2.3
RELENG_4_8
  src/crypto/openssh/auth-chall.c                             1.2.2.4.2.2
  src/crypto/openssh/auth.h                               1.1.1.1.2.6.2.1
  src/crypto/openssh/auth1.c                                  1.3.2.9.2.1
  src/crypto/openssh/auth2-pam-freebsd.c                      1.1.2.5.2.2
  src/crypto/openssh/ssh_config                               1.2.2.8.2.1
  src/crypto/openssh/ssh_config.5                             1.4.2.4.2.1
  src/crypto/openssh/sshd_config                             1.4.2.12.2.1
  src/crypto/openssh/version.h                           1.1.1.1.2.10.2.3
RELENG_4_7
  src/crypto/openssh/auth-chall.c                             1.2.2.3.2.1
  src/crypto/openssh/auth.h                               1.1.1.1.2.5.2.1
  src/crypto/openssh/auth1.c                                  1.3.2.8.2.1
  src/crypto/openssh/auth2-pam-freebsd.c                      1.1.2.2.2.2
  src/crypto/openssh/ssh_config                               1.2.2.6.2.1
  src/crypto/openssh/sshd_config                             1.4.2.10.2.1
  src/crypto/openssh/version.h                            1.1.1.1.2.9.2.3
RELENG_4_6
  src/crypto/openssh/auth-chall.c                             1.2.2.2.2.2
  src/crypto/openssh/auth.h                               1.1.1.1.2.4.4.2
  src/crypto/openssh/auth1.c                                  1.3.2.7.4.2
  src/crypto/openssh/auth2-pam-freebsd.c                          1.2.2.4
  src/crypto/openssh/ssh_config                               1.2.2.4.4.2
  src/crypto/openssh/sshd_config                              1.4.2.8.2.2
  src/crypto/openssh/version.h                            1.1.1.1.2.8.2.4
[Ports]
  ports/security/openssh/Makefile                                   1.125
  ports/security/openssh/auth-pam.c                                   1.2
  ports/security/openssh/auth-pam.h                                   1.2
  ports/security/openssh/auth2-pam.c                                  1.2
  ports/security/openssh/patch-auth-chall.c                           1.1
  ports/security/openssh-portable/Makefile                           1.78
  ports/security/openssh-portable/auth2-pam-freebsd.c                 1.5
  ports/security/openssh-portable/patch-auth-chall.c                  1.1
  ports/security/openssh-portable/patch-auth-pam.c                    1.1
  ports/security/openssh-portable/patch-auth-pam.h                    1.1
- -------------------------------------------------------------------------

Branch                       Version string
- -------------------------------------------------------------------------
RELENG_4                     OpenSSH_3.5p1 FreeBSD-20030924
RELENG_5_1                   OpenSSH_3.6.1p1 FreeBSD-20030924
RELENG_4_8                   OpenSSH_3.5p1 FreeBSD-20030924
RELENG_4_7                   OpenSSH_3.4p1 FreeBSD-20030924
RELENG_4_6                   OpenSSH_3.4p1 FreeBSD-20030924
- -------------------------------------------------------------------------

To view the version string of the OpenSSH server, execute the
following command:

  % /usr/sbin/sshd -\?

or for OpenSSH from the ports collection:

  % /usr/local/sbin/sshd -\?

The version string is also displayed when a client connects to the
server.

VII. References

<URL:http://www.openssh.com/txt/sshpam.adv>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQE/gFCoFdaIBMps37IRApUWAJ9BZoW/uBY1Q0Phr3iQGBq8/I14dgCaAzvc
7gHHrB5lxeBXWIB37CXpM5s=
=DC+H
-----END PGP SIGNATURE-----
